Effective: 2026-06-01 · Version: 1.0
This Privacy Policy explains what personal data BakedIn LLC ("BakedIn", "we", "us") collects when you use bakedin.co and its sub-surfaces (Learn, Practice, Adopt, Signal, Wellness marketing landing), how we use it, who we share it with, how long we keep it, and the rights you have over it.
We try to keep this plain. Where a section maps to a specific legal provision we cite it inline so you can verify what we are committing to.
1. Who we are (the controller)
BakedIn LLC is the data controller for personal data collected through bakedin.co. Glen Buchanan is the founder and accountable owner.
- Privacy contact: privacy@bakedin.co
- General contact: glen@bakedin.co
- Mail: BakedIn LLC, address provided on request to the privacy contact above
We have not appointed a Data Protection Officer because we do not meet the GDPR Article 37 thresholds (no large-scale special-category processing, no large-scale systematic monitoring). If that changes we will appoint one and update this notice.
GDPR Art 13(1)(a), Art 37
2. What personal data we collect
We collect the minimum data needed to operate the service.
| Category | Examples | When collected |
|---|---|---|
| Account | Email address, optional display name, optional avatar URL | When you sign in via magic-link (Phase 0) or, later, via a social provider |
| Authentication | Auth.js session token (opaque, in the __Host-bakedin.session cookie), accounts rows for any linked provider, verificationTokens for magic-link delivery | At sign-in |
| Learning activity | learning_events — lesson views, exercise attempts, completions, time-on-task, anonymous session_id stitched forward at sign-in | While you use Learn |
| Wellness (separate surface) | Household + member profiles, dietary/allergy flags, grocery and meal data — held in the separate wellness.bakedin.co surface and encrypted at field level with KMS envelope encryption per ADR-007 | Only if you use the wellness portal |
| Support correspondence | Email content when you write to us | When you reach out |
| Cookies | See Cookie Policy; only the necessary set runs without your consent | Per visit |
We do not ask for and do not knowingly collect:
- Government identifiers (SSN, passport, driver's licence)
- Payment card data — Stripe will handle payments when we add them; we never touch card numbers
- Special categories under GDPR Art 9 (health, ethnicity, religion, biometric, sexual orientation) — the wellness surface processes health-adjacent inputs you choose to enter, but BakedIn does not market itself as a HIPAA-covered system and does not hold PHI today
GDPR Art 5(1)(c) (data minimisation), Art 13(1)(c), Cal. Civ. Code §1798.100(a)
3. Why we use it, and the legal basis for each use
| Purpose | Data used | Legal basis |
|---|---|---|
| Run your account and sign you in | Account + authentication | Contract — GDPR Art 6(1)(b) |
| Show your progress, mastery, and resume-where-you-left-off | Learning activity | Contract — Art 6(1)(b) |
| Improve the platform (which lessons confuse learners, which exercises stall) | Aggregated, account-keyed learning activity | Legitimate interest — Art 6(1)(f). You can object — see Section 7 |
| Send the Signal weekly digest (only if you subscribe) | Email address | Consent — Art 6(1)(a). You can withdraw any time via the unsubscribe link |
| Respond to support emails you send us | Whatever you wrote | Legitimate interest — Art 6(1)(f) |
| Detect and prevent abuse (rate limiting, fraud) | Authentication metadata, IP, request logs | Legitimate interest — Art 6(1)(f) |
| Comply with law (tax, audit, lawful request) | As required | Legal obligation — Art 6(1)(c) |
We do not sell your personal data and we do not "share" it for cross-context behavioural advertising as those terms are defined in the California Privacy Rights Act.
GDPR Art 13(1)(c), Art 6; Cal. Civ. Code §1798.120, §1798.140(ah)
4. Who we share it with (sub-processors)
We use a small, vetted set of sub-processors to operate the service. Each is bound by a data-processing agreement no less protective than this notice. The current list:
| Sub-processor | Role | Region |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure — RDS, S3, CloudFront, Cognito, KMS, Secrets Manager, Bedrock | us-east-1 (primary) + us-west-2 (DR for wellness KMS multi-region key) |
| Anthropic, PBC | Claude inference, accessed via AWS Bedrock (data does not leave the Bedrock boundary) | us-east-1 via Bedrock |
| Google LLC | Google Workspace (transactional email seam, internal documents). Sign in with Google added in Phase 1 if you choose it | US |
| ElevenLabs | Optional text-to-speech generation for lesson audio narration | US |
| Google Gemini | Hero image generation for marketing surfaces (no user data sent) | US |
| Stripe | Payment processing — added when we ship paid plans; not in use today | US |
Engineering audit logs of every Bedrock invocation (prompts + responses) are written to S3 in our account so we can answer "what did the system do with this request" with evidence. Access to those logs is restricted to BakedIn personnel under the Information Security Policy.
We will update this list when we add or remove a sub-processor. If you sign up for change notifications via Signal we will note material changes there.
GDPR Art 13(1)(e), Art 28; CCPA §1798.140(ag) "service provider"
5. International transfers
BakedIn is operated from the United States. If you access the service from the European Economic Area, the United Kingdom, or Switzerland, your data is transferred to the US.
We rely on:
- Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with our sub-processors, where applicable; and
- The EU-US Data Privacy Framework for sub-processors that are certified (notably AWS and Google).
A copy of the relevant SCCs or DPF certifications is available on request to privacy@bakedin.co.
GDPR Art 13(1)(f), Art 46(2)(c), Art 45
6. How long we keep it (retention)
| Category | Retention |
|---|---|
| Account record | Until you delete the account, then a 30-day soft-delete window before purge |
| verificationTokens (magic-link) | 15 minutes (token lifetime); rows purged at expiry |
| sessions | 30 days from last activity; purged on sign-out |
| learning_events | 24 months rolling, then aggregated to anonymous cohort metrics |
| Wellness data | Until you delete the household member, then immediate purge; envelope-encrypted columns are crypto-shredded by key rotation if you request it |
| Support correspondence | 24 months from the last reply |
| Bedrock invocation audit logs | 13 months, with the user identifier hashed after 90 days |
| Backup snapshots | 35 days (RDS automated backups); deletion requests propagate at the next snapshot rotation |
After your account is purged we may retain anonymised aggregates (cohort completion rates, etc.) that no longer identify you.
GDPR Art 13(2)(a), Art 5(1)(e)
7. Your rights
Under GDPR (Art 15-22) and CCPA (§1798.100-1798.130) you have the right to:
- Access — get a copy of the personal data we hold about you
- Rectify — correct anything inaccurate
- Erase — have it deleted ("right to be forgotten")
- Restrict — pause processing while a dispute is resolved
- Object — to processing based on legitimate interest, including the platform-improvement use in Section 3
- Portability — get your data in a structured, machine-readable format (JSON export)
- Withdraw consent — for anything we do under consent (e.g. Signal, optional functional/analytics cookies)
- Not be subject to a decision based solely on automated processing — see Section 9 below
- Non-discrimination for exercising any of these rights (CCPA)
To exercise any right, email privacy@bakedin.co from the address on your account. We will respond within 30 days under GDPR and 45 days under CCPA (extendable once where the law allows). We do not charge a fee unless a request is manifestly unfounded or excessive.
CCPA residents specifically have the right to:
- Know what categories of personal information we collect, the sources, the purposes, and the third parties we disclose to (Sections 2-4 above)
- Request deletion (Cal. Civ. Code §1798.105)
- Correct inaccurate personal information (§1798.106)
- Opt out of "sale" or "sharing" — we do not sell or share as defined, so there is nothing to opt out of, but this is your right if that ever changes (§1798.120)
- Limit use of sensitive personal information (§1798.121) — we do not use sensitive PI beyond what is necessary to provide the service
- Designate an authorised agent to act on your behalf (§1798.135(c))
GDPR Art 15-22; Cal. Civ. Code §1798.100, .105, .106, .110, .115, .120, .121, .125, .130, .135
8. Right to complain to a supervisory authority
If you believe we have mishandled your personal data:
- EEA residents — contact your local data protection authority. A list is at edpb.europa.eu/about-edpb/about-edpb/members_en.
- UK residents — contact the Information Commissioner's Office.
- California residents — contact the California Privacy Protection Agency or the California Attorney General.
You can also write to us first — we would rather fix it.
GDPR Art 13(2)(d), Art 77
9. Automated decision-making and the agent loop
BakedIn is built on an agentic system. Specifically:
- A captain process scans open work items and dispatches them to task-specific agents.
- A coding_agent drafts code and content changes as pull requests, grounded in our internal corpus (every claim cites a paper_id).
- A Proof grader verifies citation hygiene before a PR can merge.
- Every PR is reviewed and approved by a human (Glen Buchanan) before it lands in production.
What this means for you:
- We do not use solely automated processing to make decisions that produce legal or similarly significant effects about you (GDPR Art 22(1)). Lesson placement, content recommendation, and the like are not "solely automated" — they are deterministic ranking over data you have consented to provide.
- We do not profile you for credit, insurance, employment, or any consequential outcome.
- We do personalise lesson order based on your stated pathway and completed lessons. You can opt out of any AI-personalised content via /account/preferences (Phase 1; see also the AI Use Disclosure).
If we ever introduce automated processing under Art 22, we will update this notice and offer human review on request.
GDPR Art 13(2)(f), Art 22
10. Children
BakedIn is not directed to children under 13 (US) or under 16 (EEA). We do not knowingly collect personal information from anyone in those age ranges. If you believe a child has provided us with personal data, email privacy@bakedin.co and we will delete the account.
COPPA 15 USC § 6501; GDPR Art 8
11. Security
We protect your data with technical and organisational measures described in our internal Information Security Policy, including:
- TLS in transit, AES-256 at rest (KMS-managed)
- Field-level envelope encryption on declared PII columns (ADR-007)
- Least-privilege IAM, MFA on administrative accounts
- Centralised logging (Bedrock invocations, application audit log), with the audit table staged in migration 0012
- Annual policy review and incident response plan
No system is perfectly secure. If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify you without undue delay where required.
GDPR Art 32, Art 33, Art 34
12. Changes to this notice
We will update this notice when our processing changes. Material changes will be highlighted at the top of this page and announced via Signal (if you subscribe). The effective date and version above are authoritative.
| Version | Date | Change |
|---|---|---|
| 1.0 | 2026-06-01 | Initial publication |
13. Contact
For anything privacy-related: privacy@bakedin.co
For everything else: glen@bakedin.co
Maintained by BakedIn LLC. Licensed CC BY-NC 4.0. The source of this document is version-controlled at app/(legal)/_content/privacy-policy.md in the bakedin-prod/frontend repository.